As I did in a Senate hearing last month, I will try to shift the debate from the supposed need for a "uniform national data breach notification standard" to much more important issues, such as improving consumer rights when they use unsafe debit cards and ensuring that standards for payment card and card network security are set in an open, fair way that holds banks and card networks accountable for forcing merchants and consumers to rely on inherently unsafe, obsolete magnetic stripe cards.

This is a somewhat long-ish blog where I lay out my main recommendations to Congress:

1) Congress should improve debit/ATM card consumer rights and make all plastic equal:

Credit cards are safe, by law. Debit cards have “zero liability” only by promise. The shared-risk fraud standard for debit cards under law – where consumers could be liable for up to $500 or more in losses – appears to be vestigial, left over from the days when debit cards could only be used with a PIN. Since banks encourage consumers to use debit cards, placing their bank accounts at risk, on the unsafe signature debit platform, this fraud standard should be changed. Compare some of the Truth In Lending Act’s robust credit card protections by law to the Electronic Funds Transfer Act’s weak debit card consumer rights at this FDIC website.

Debit/ATM card customers already face cash flow and bounced check problems while banks investigate fraud under the Electronic Funds Transfer Act. Reducing their possible liability by law, not simply by promise, won’t solve this particular problem, but it will force banks to work harder to avoid fraud. If they face greater liability to their customers and accountholders, they will be more likely to develop better security.

2) Congress should not endorse a specific technology. If Congress takes steps to encourage use of higher standards, its actions should be technology-neutral and apply equally to all players.

“Chip and PIN” and “Chip and signature” are variants of the EMV technology standard commonly in use in Europe. The pending U.S. rollout of chip cards will allow the less-secure Chip and Signature cards rather than requiring the more-secure Chip and PIN cards. Why not go to the higher Chip and PIN authentication standard immediately and skip past Chip and Signature? Even so, Congress should not embrace a specific technology; instead, it should take steps to encourage all users to adopt the highest existing standard. Current standards are developed in a closed system run by the banks and card networks. New standards should be developed in an open system that encourages innovation and applies equally to banks as well as merchants and others.

Further, as most observers are aware, chip technology only prevents the use of cloned cards in card-present (point-of-sale) transactions. That is an improvement over obsolete magnetic stripe technology, but it will have no impact on online transactions, where fraud volume already exceeds that of point-of-sale transactions.

Experiments, such as with “virtual card numbers” for one-time use, are being carried out online. It would be worthwhile for the committee to inquire of the industry and the regulators how well those experiments are proceeding and whether requiring the use of virtual card numbers in all online debit and credit transactions should be considered a best practice.

To ensure that improvements continue to be made, the committee should also inquire into the governance and oversight of the development of card network security standards. Do regulators sit on or have oversight over the PCI card security standards board? As I understand it, merchants do not; they are only allowed to sit on what may be a meaningless “advisory” board.

4) Congress should not enact any new legislation sought by the banks to impose their costs of replacement cards on the merchants:

Target should pay its share, but this breach was not entirely Target’s fault. Disputes over the costs of replacement cards should be handled by contracts and agreements between the players. How could you possibly draft a bill to address all the possible shared liabilities?

5) Congress should not enact any federal breach law that preempts state breach laws or, especially, preempts other state data security rights:

But industry lobbyists (and this isn't only the banks, but includes the chemical industry, car makers, airlines, the drug companies and pretty much everyone else) prefer to enact weak federal laws accompanied by strong limits on the states. That is the wrong way to go. Broad preemption will prevent states from acting as first responders to emerging privacy threats. Congress should not preempt the states. In fact, Congress should think twice about whether a federal breach law that is weaker than the best state laws is needed at all.

6) Congress Should Allow For Private Enforcement and Broad State and Local Enforcement of Any Law It Passes:

The marketplace only works when we have strong federal laws and strong enforcement of those laws, buttressed by state and local and private enforcement.

7) Any federal breach law should not include any “harm trigger” before notice is required:

The better state breach laws, starting with California’s, require breach notification if information is presumed to have been “acquired.” The weaker laws allow the company that failed to protect the consumer’s information in the first place to decide whether to tell them, based on its estimate of the likelihood of identity theft or other harm. Only an acquisition standard will serve to force data collectors to protect the financial information of their trusted customers, accountholders or, as Target calls them, “guests,” well enough to avoid the costs, including to reputation, of a breach.

In 2005 and then again in 2007 the FTC imposed fines on the credit bureau Experian for deceptive marketing of its various credit monitoring products, which are often sold as add-ons to credit cards and bank accounts. Prices range up to $19.99/month. While it is likely that recent CFPB enforcement orders against several large credit card companies for deceptive sale of add-on products – resulting in recovery of approximately $800 million to aggrieved consumers – may cause banks to think twice about continuing these relationships with third-party firms, the committee should also consider its own examination of the sale of these credit card add-on products. See my recent post.

Consumers who want credit monitoring can monitor their credit themselves. No one should pay for it. You have the right under federal law to look at each of your three credit reports (Equifax, Experian and TransUnion) once a year for free at the federally mandated central site annualcreditreport.com. Don't like websites? You can also exercise your federal free-report rights by phone or mail. You can stagger these requests – one every four months – for a type of do-it-yourself, no-cost monitoring. And, if you suspect you are a victim of identity theft, you can call each bureau directly for an additional free credit report. If you live in Colorado, Georgia, Massachusetts, Maryland, Maine, New Jersey, Puerto Rico or Vermont, you are eligible for yet another free report annually under state law by calling each of the Big 3 credit bureaus.

And kudos to Discover Card for leading the way in disclosing credit scores on account statements. Director Rich Cordray and the Consumer Financial Protection Bureau have recently launched a campaign to encourage this voluntary practice. It should help end the sale of over-priced credit monitoring. Eventually, we hope credit scores will also be made part of credit reports, so anyone, not just credit card holders, can see them.

9) Review Title V of the Gramm-Leach-Bliley Act and its Data Security Requirements:

The 1999 Gramm-Leach-Bliley Act imposed certain data security responsibilities on regulated financial institutions, including banks. The requirements include breach notification in certain circumstances. The committee should ask the regulators for information on their enforcement of the Act’s requirements and should determine whether additional legislation is needed.

10) Congress should investigate the over-collection of consumer information for marketing purposes. More information means more information at risk of identity theft. It also means there is a greater potential for unfair secondary marketing uses of information:

In the Big Data world, companies are collecting vast troves of information about consumers. Every day, the collection and use of consumer information in a virtually unregulated marketplace is exploding. New technologies allow a web of interconnected businesses – many of which the consumer has never heard of – to assimilate and share consumer data in real-time for a variety of purposes that the consumer may be unaware of and may cause consumer harm. Increasingly, the information is being collected in the mobile marketplace and includes a new level of localized information.